A Distributed Denial of Service (DDoS) attack primarily refers to an attack in which an attacker uses one or more control hosts as stepping stones (for example, arranged in multiple levels and/or multiple layers) and, through them, controls a large number of infected, and thus compromised, hosts, which together form an attacking network that launches massive denial of service traffic at victim hosts.
The DDoS attacks may use the attacking network to launch, for example, an Internet Control Message Protocol (ICMP) flood attack, a User Datagram Protocol (UDP) flood attack, and/or a Transmission Control Protocol synchronize (SYN) flood attack onto the victim hosts. A DDoS attack multiplies the traffic a single attacker could generate by the number of controlled hosts, raising it by orders of magnitude, thus causing a significant impact on a user host, or even causing the user host to crash, and causing severe network congestion.
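The three flood types named above differ in what a defender has to count: every ICMP packet, every UDP packet, but only bare SYN segments for TCP, since SYN-ACK and ACK segments of ordinary handshakes must not trip the detector. The following is an added example written for this page (not code from the original text or from any product it describes): a small sliding-window detector over per-packet records, fed with constructed traffic in which one virtual machine SYN-floods another while a second machine completes normal handshakes. The record format, the IP addresses, the one-second window and the per-class thresholds are all assumptions made for the example.

```python
"""Added example (not from the original text): a minimal sliding-window
flood detector that classifies the three flood types named in the text
(ICMP flood, UDP flood, TCP SYN flood) from per-packet records.

The record format, addresses, window and thresholds are assumptions
made for this example, not values taken from the original text.
"""
from collections import defaultdict, deque

# Illustrative assumptions: packets per source per class within one second.
WINDOW_SECONDS = 1.0
THRESHOLDS = {"icmp": 100, "udp": 200, "syn": 50}


def classify(pkt):
    """Map a packet record to a flood class, or None if it does not count."""
    proto = pkt["proto"]
    if proto == "icmp":
        return "icmp"
    if proto == "udp":
        return "udp"
    # Only a bare SYN counts toward a SYN flood; SYN-ACK ("SA") and ACK ("A")
    # segments of a normal handshake must not trip the detector.
    if proto == "tcp" and pkt.get("flags") == "S":
        return "syn"
    return None


class FloodDetector:
    """Per-(source, class) sliding-window packet counter."""

    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self.events = defaultdict(deque)  # (src, cls) -> timestamps in window

    def observe(self, pkt):
        """Feed one packet; return (src, cls) if it crosses the threshold."""
        cls = classify(pkt)
        if cls is None:
            return None
        key = (pkt["src"], cls)
        q = self.events[key]
        q.append(pkt["ts"])
        # Evict timestamps that have fallen out of the window.
        while q and pkt["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) > self.thresholds[cls]:
            return key
        return None


def detect_floods(packets):
    """Return the set of (src, flood_class) pairs that exceeded a threshold."""
    det = FloodDetector()
    alerts = set()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        hit = det.observe(pkt)
        if hit:
            alerts.add(hit)
    return alerts


def sample_packets():
    """Constructed traffic: vm-1 SYN-floods vm-9; vm-2 completes normal handshakes."""
    pkts = []
    # 80 bare SYNs from vm-1 within 0.8 s: exceeds the assumed SYN threshold of 50.
    for i in range(80):
        pkts.append({"ts": i * 0.01, "src": "10.0.0.1", "dst": "10.0.0.9",
                     "proto": "tcp", "flags": "S"})
    # 20 complete handshakes between vm-2 and vm-9: only 20 bare SYNs, under threshold.
    for i in range(20):
        t = i * 0.03
        pkts.append({"ts": t, "src": "10.0.0.2", "dst": "10.0.0.9",
                     "proto": "tcp", "flags": "S"})
        pkts.append({"ts": t, "src": "10.0.0.9", "dst": "10.0.0.2",
                     "proto": "tcp", "flags": "SA"})
        pkts.append({"ts": t, "src": "10.0.0.2", "dst": "10.0.0.9",
                     "proto": "tcp", "flags": "A"})
    # A few ICMP echo requests from vm-2, well under the ICMP threshold.
    for i in range(5):
        pkts.append({"ts": i * 0.2, "src": "10.0.0.2", "dst": "10.0.0.9",
                     "proto": "icmp"})
    return pkts


if __name__ == "__main__":
    print(detect_floods(sample_packets()))  # {('10.0.0.1', 'syn')}
```

The detector keys on the source address, which is only meaningful where the source cannot be spoofed; on a physical network that assumption rarely holds, but inside a cloud the hypervisor or virtual switch can tag each packet with the originating virtual machine, which is why per-source counting is a natural fit for inter-VM traffic.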
Currently, by using virtual machine software, one or more virtual machines may be simulated on one physical computer. The virtual machines behave like physical computers: for example, operating systems and applications may be installed on the virtual machines, and the virtual machines may access network resources. The applications that run in a virtual machine work in the same way as applications on a physical computer.
A cloud computing system (a "cloud system" for short) may be considered a cluster system that performs distributed computing, storage, and/or management on commodity (general-purpose) hardware. The cloud system provides high-throughput data access and is suited to large-scale data computing and storage.
With the development of cloud system technology, a cloud system may include tens of thousands of virtual machines, and therefore security protection of the virtual machines in the cloud system is attracting more and more attention. It is especially important to prevent DDoS attacks between the virtual machines in the cloud system. However, existing DDoS prevention mechanisms primarily address DDoS attacks between different cloud systems, between a cloud system and hosts outside the cloud system, and between hosts in non-cloud systems; they are not applicable to preventing DDoS attacks between virtual machines within a single cloud system. In particular, traffic between two virtual machines on the same physical host may be switched entirely within that host and never reach the network devices where such prevention is deployed.